Jimmy_Intertouch
New Contributor II

FG40F lost all mgmt access after changing http and https port#

Hi guys, I have a strange issue here.

I lost all mgmt access both from WAN and LAN after changing the https and http mgmt port to 8443 and 8080. I can only ping the interfaces.

So I consoled in and reverted the changes back to port 443 and 80. But still no luck with access.

What do I check now in the CLI? I can paste CLI output here if needed.

 

Thanks

 

Jimmy

1 Solution
Debbie_FTNT

Hey Jimmy,

the HTTPS port is set to 443 again, so that should be ok.

A few more things to check:

- you have HTTPS access enabled on the interface:

#config system interface
#edit <>
#show
-> the allowaccess section should include 'https'

- you don't have trusted hosts set on the admin user restricting access:

#config system admin
#edit <admin>
#show
-> there should be no 'trusted-hosts' entry, or if there is, you must connect from one of the IPs/subnets listed

- SSLVPN is not using the same port as admin HTTPS access

#config vpn ssl setting
#show full | grep port
-> the line 'set port xxx' should not be 443
-> if it is, I would suggest changing it if SSLVPN is not in use.
-> if SSLVPN is in use, then the admin HTTPS port would need to be changed to something other than 443 again.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
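
The three checks in the answer above (interface allowaccess, admin trusted hosts, SSL-VPN port versus admin HTTPS port) can also be run offline against a saved copy of the CLI configuration text. This is an added example, not part of the original post or any Fortinet tool; the sample config and the `settings` and `audit` helpers are constructed for illustration, and it assumes `admin-sport` is 443 when the config does not set it.

```python
# Constructed sample config (not the poster's device).
SAMPLE = """\
config system global
    set admin-sport 443
end
config system interface
    edit "wan"
        set allowaccess ping
    next
end
config system admin
    edit "admin"
        set trusthost1 192.168.1.0 255.255.255.0
    next
end
config vpn ssl settings
    set port 443
end
"""

def settings(text):
    """Yield (section, entry, key, values) for each top-level 'set' line."""
    section, entry, depth = None, "", 0
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0] == "config":
            depth += 1
            if depth == 1:
                section, entry = " ".join(words[1:]), ""
        elif words[0] == "end":
            depth -= 1
        elif depth == 1 and words[0] == "edit":
            entry = words[1].strip('"')
        elif depth == 1 and words[0] == "set" and len(words) > 1:
            yield section, entry, words[1], words[2:]

def audit(text):
    ports, findings = {}, []
    for section, entry, key, values in settings(text):
        if (section, key) in {("system global", "admin-sport"), ("vpn ssl settings", "port")}:
            ports[section] = values[0]
        elif section == "system interface" and key == "allowaccess" and "https" not in values:
            findings.append(f"no-https: interface {entry}")
        elif (section == "system admin" and key.startswith("trusthost")
              and values != ["0.0.0.0", "0.0.0.0"]):
            findings.append(f"trusted-hosts: {entry} limited to {' '.join(values)}")
    # Assumption: admin-sport falls back to 443 when the config omits it.
    sport = ports.get("system global", "443")
    if ports.get("vpn ssl settings") == sport:
        findings.insert(0, f"port-conflict: SSL-VPN and admin HTTPS both use {sport}")
    return findings
```

Calling `audit(SAMPLE)` returns one finding per failed check; only `set` lines are read, so an interface whose allowaccess is unset is not reported.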

akumarr
Staff

Hi Jimmy

Please provide the output for


sh full | grep set admin-sport
sh full | grep  set admin-port 

Is SSH/Telnet working?

Best regards,
ARUNKUMAR.R.
vsahu
Staff

Can you share the output of :
show full system global
show full system admin


Also, make sure the certificate is there in the global configuration

config system global
set admin-server-cert "self-sign"
end

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Restoring-a-configuration-causes-HTTP-HTTP...

Regards,
Vishal
Jimmy_Intertouch
New Contributor II

Hi, thanks guys, confirming no Telnet or SSH either.

@akumarr

I tried

sh full | grep set admin-sport
sh full | grep set admin-port

Got below:

 

FortiGate-40F # show full | grep set admin-sport
Usage: grep [-invfcABC] PATTERN
Options:
-i Ignore case distinctions
-n Print line number with output lines
-v Select non-matching lines
-f Print fortinet config context
-c Only print count of matching lines
-A Print NUM lines of trailing context
-B Print NUM lines of leading context
-C Print NUM lines of output context

 

@vsahu

I have applied:

config system global
set admin-server-cert "self-sign"
end

No luck yet. Please see the 2 outputs below, per your request:

 

FortiGate-40F # show full system global
config system global
set admin-concurrent enable
set admin-console-timeout 0
set admin-forticloud-sso-login enable
set admin-hsts-max-age 15552000
set admin-https-pki-required disable
set admin-https-redirect enable
unset admin-https-ssl-banned-ciphers
set admin-https-ssl-ciphersuites TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256
set admin-https-ssl-versions tlsv1-2 tlsv1-3
set admin-lockout-duration 60
set admin-lockout-threshold 3
set admin-login-max 100
set admin-maintainer enable
set admin-port 80
set admin-reset-button enable
set admin-restrict-local disable
set admin-scp disable
set admin-server-cert "self-sign"
set admin-sport 433
set admin-ssh-grace-time 120
set admin-ssh-password enable
set admin-ssh-port 22
set admin-ssh-v1 disable
set admin-telnet enable
set admin-telnet-port 23
set admintimeout 480
set alias "FortiGate-40F"
set allow-traffic-redirect enable
set anti-replay strict
set arp-max-entry 131072
set auth-cert "Fortinet_Factory"
set auth-http-port 1000
set auth-https-port 1003
set auth-ike-saml-port 1001
set auth-keepalive disable
set auth-session-limit block-new
set auto-auth-extension-device enable
set autorun-log-fsck disable
set av-failopen pass
set av-failopen-session disable
set batch-cmdb enable
set block-session-timer 30
set br-fdb-max-entry 8192
set cert-chain-max 8
set cfg-save automatic
set check-protocol-header loose
set check-reset-range disable
set cli-audit-log disable
set cloud-communication enable
set clt-cert-req disable
set cmdbsvr-affinity "0"
set cpu-use-threshold 90
set csr-ca-attribute enable
set daily-restart disable
set default-service-source-port 1-65535
set device-idle-timeout 300
set dh-params 2048
set dnsproxy-worker-count 1
set dst enable
set extender-controller-reserved-network 10.252.0.1 255.255.0.0
set fds-statistics enable
unset fgd-alert-subscription
set fortiextender enable
set fortiextender-data-port 25246
set fortiextender-discovery-lockdown disable
set fortiextender-vlan-mode disable
set fortiservice-port 8013
set fortitoken-cloud enable
set gui-allow-default-hostname enable
set gui-cdn-usage enable
set gui-certificates disable
set gui-custom-language disable
set gui-date-format yyyy/MM/dd
set gui-date-time-source system
set gui-device-latitude ''
set gui-device-longitude ''
set gui-display-hostname disable
set gui-firmware-upgrade-warning enable
set gui-forticare-registration-setup-warning enable
set gui-fortigate-cloud-sandbox disable
set gui-ipv6 disable
set gui-local-out disable
set gui-replacement-message-groups disable
set gui-rest-api-cache disable
set gui-theme jade
set gui-wireless-opensecurity disable
set gui-workflow-management disable
set ha-affinity "0"
set honor-df enable
set hostname "FortiGate-40F"
set igmp-state-limit 3200
set internet-service-database standard
set ip-src-port-range 1024-25000
set ipsec-asic-offload enable
set ipsec-ha-seqjump-rate 10
set ipsec-hmac-offload enable
set ipsec-soft-dec-async disable
set ipv6-accept-dad 1
set ipv6-allow-anycast-probe disable
set ipv6-allow-traffic-redirect enable
set language english
set ldapconntimeout 500
set lldp-reception disable
set lldp-transmission disable
set log-ssl-connection disable
set log-uuid-address disable
set login-timestamp disable
set management-ip ''
set management-port-use-admin-sport enable
set management-vdom "root"
set max-route-cache-size 0
set memory-use-threshold-extreme 95
set memory-use-threshold-green 82
set memory-use-threshold-red 88
set miglogd-children 0
set multi-factor-authentication optional
set ndp-max-entry 0
set pmtu-discovery disable
set policy-auth-concurrent 0
set post-login-banner disable
set pre-login-banner disable
set private-data-encryption disable
set proxy-auth-lifetime disable
set proxy-auth-timeout 10
set proxy-cert-use-mgmt-vdom disable
set proxy-hardware-acceleration enable
set proxy-re-authentication-mode session
set proxy-resource-mode disable
set proxy-worker-count 0
set radius-port 1812
set reboot-upon-config-restore enable
set refresh 0
set remoteauthtimeout 5
set reset-sessionless-tcp disable
set revision-backup-on-logout disable
set revision-image-auto-backup disable
set scanunit-count 0
set security-rating-result-submission enable
set security-rating-run-on-schedule enable
set send-pmtu-icmp enable
set snat-route-change disable
set special-file-23-support disable
set speedtest-server disable
set ssh-enc-algo chacha20-poly1305@openssh.com aes256-ctr aes256-gcm@openssh.com
set ssh-kex-algo diffie-hellman-group-exchange-sha256 curve25519-sha256@libssh.org ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521
set ssh-mac-algo hmac-sha2-256 hmac-sha2-256-etm@openssh.com hmac-sha2-512 hmac-sha2-512-etm@openssh.com
set ssl-min-proto-version TLSv1-2
set ssl-static-key-ciphers enable
set sslvpn-cipher-hardware-acceleration enable
set sslvpn-ems-sn-check disable
set sslvpn-kxp-hardware-acceleration enable
set sslvpn-max-worker-count 0
set sslvpn-plugin-version-check enable
set strict-dirty-session-check enable
set strong-crypto enable
set switch-controller enable
set switch-controller-reserved-network 10.255.0.0 255.255.0.0
set sys-perf-log-interval 5
set tcp-halfclose-timer 120
set tcp-halfopen-timer 10
set tcp-option enable
set tcp-rst-timer 5
set tcp-timewait-timer 1
set timezone 04
set traffic-priority tos
set traffic-priority-level medium
set two-factor-email-expiry 60
set two-factor-fac-expiry 60
set two-factor-ftk-expiry 60
set two-factor-ftm-expiry 72
set two-factor-sms-expiry 60
set udp-idle-timer 180
set url-filter-count 1
set user-device-store-max-devices 20114
set user-device-store-max-unified-mem 100573388
set user-device-store-max-users 20114
set user-server-cert "Fortinet_Factory"
set vdom-mode no-vdom
set vip-arp-range restricted
set wad-csvc-cs-count 1
set wad-csvc-db-count 0
set wad-memory-change-granularity 10
set wad-source-affinity enable
set wad-worker-count 0
set wifi-ca-certificate "Fortinet_Wifi_CA"
set wifi-certificate "Fortinet_Wifi"
set wimax-4g-usb disable
set wireless-controller enable
set wireless-controller-port 5246
set fds-statistics-period 60
end

 

FortiGate-40F # show full system admin
config system admin
edit "admin"
set remote-auth disable
set peer-auth disable
set trusthost1 0.0.0.0 0.0.0.0
set trusthost2 0.0.0.0 0.0.0.0
set trusthost3 0.0.0.0 0.0.0.0
set trusthost4 0.0.0.0 0.0.0.0
set trusthost5 0.0.0.0 0.0.0.0
set trusthost6 0.0.0.0 0.0.0.0
set trusthost7 0.0.0.0 0.0.0.0
set trusthost8 0.0.0.0 0.0.0.0
set trusthost9 0.0.0.0 0.0.0.0
set trusthost10 0.0.0.0 0.0.0.0
set ip6-trusthost1 ::/0
set ip6-trusthost2 ::/0
set ip6-trusthost3 ::/0
set ip6-trusthost4 ::/0
set ip6-trusthost5 ::/0
set ip6-trusthost6 ::/0
set ip6-trusthost7 ::/0
set ip6-trusthost8 ::/0
set ip6-trusthost9 ::/0
set ip6-trusthost10 ::/0
set accprofile "super_admin"
set comments ''
set vdom "root"
unset ssh-public-key1
unset ssh-public-key2
unset ssh-public-key3
set ssh-certificate ''
set schedule ''
set two-factor disable
set email-to ''
set sms-server fortiguard
set sms-phone ''
set guest-auth disable
set password ENC SH2miEP/9s4waGLjup1pVaR4X4Cl39ic04LRbHxcd+Si5j/6t82eNLlQBs0Fr8=
set allow-remove-admin-session enable
next
end

 

akumarr

Please run the below-mentioned command on Fortigate CLI and provide me the output.

diag deb disable
diag deb reset
diag deb flow filter port 22
diag deb flow filter daddr x.x.x.x  >>> replace x.x.x.x with Fortigate IP
diag deb flow sh fun en
diag deb flow trace start 999
diag deb en

After running the commands access the device using SSH, as soon as you get the error disable the debug and share the output, to disable the debug use "diag deb disable"


Best regards,
ARUNKUMAR.R.
Jimmy_Intertouch

Thanks, please see the logs below. I have hidden my WAN IP with xxx.xxx.xxx.xxx


FortiGate-40F # id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 220.240.195.225:53561->xxx.xxx.xxx.xxx:22) tun_id=0.0.0.0 from wan. flag [S], seq 331464560, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-00b60f48, tun_id=0.0.0.0"
id=65308 trace_id=1 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-xxx.xxx.xxx.xxx via root"
id=65308 trace_id=1 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 220.240.195.225:53561->xxx.xxx.xxx.xxx:22) tun_id=0.0.0.0 from wan. flag [S], seq 331464560, ack 0, win 64240"
id=65308 trace_id=2 func=init_ip_session_common line=6076 msg="allocate a new session-00b612b4, tun_id=0.0.0.0"
id=65308 trace_id=2 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-xxx.xxx.xxx.xxx via root"
id=65308 trace_id=2 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 220.240.195.225:53561->xxx.xxx.xxx.xxx:22) tun_id=0.0.0.0 from wan. flag [S], seq 331464560, ack 0, win 64240"
id=65308 trace_id=3 func=init_ip_session_common line=6076 msg="allocate a new session-00b61a5d, tun_id=0.0.0.0"
id=65308 trace_id=3 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-xxx.xxx.xxx.xxx via root"
id=65308 trace_id=3 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=4 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 220.240.195.225:53561->xxx.xxx.xxx.xxx:22) tun_id=0.0.0.0 from wan. flag [S], seq 331464560, ack 0, win 64240"
id=65308 trace_id=4 func=init_ip_session_common line=6076 msg="allocate a new session-00b62902, tun_id=0.0.0.0"
id=65308 trace_id=4 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-xxx.xxx.xxx.xxx via root"
id=65308 trace_id=4 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=5 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 220.240.195.225:53561->xxx.xxx.xxx.xxx:22) tun_id=0.0.0.0 from wan. flag [S], seq 331464560, ack 0, win 64240"
id=65308 trace_id=5 func=init_ip_session_common line=6076 msg="allocate a new session-00b6476d, tun_id=0.0.0.0"
id=65308 trace_id=5 func=vf_ip_route_input_common line=2605 msg="find a route: flag=80000000 gw-xxx.xxx.xxx.xxx via root"
id=65308 trace_id=5 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"

akumarr

Dear Customer.
Have you configured any Local in policy?

Best regards,
ARUNKUMAR.R.
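
In the trace posted above, every SYN to port 22 ends in an `fw_local_in_handler` line with "drop", which is what prompts the local-in question. The following added example (not from the thread or from Fortinet) groups such a trace by `trace_id` and counts the attempts dropped before reaching a management service; the sample trace is constructed, and `local_in_drops` and `report` are hypothetical helper names.

```python
import re
from collections import Counter

# Constructed trace in the format posted above; addresses are documentation ranges.
SAMPLE_TRACE = """\
id=65308 trace_id=1 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:53561->203.0.113.10:22) tun_id=0.0.0.0 from wan. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=1 func=init_ip_session_common line=6076 msg="allocate a new session-00000001, tun_id=0.0.0.0"
id=65308 trace_id=1 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=2 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:53561->203.0.113.10:22) tun_id=0.0.0.0 from wan. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=2 func=fw_local_in_handler line=522 msg="iprope_in_check() check failed on policy 0, drop"
id=65308 trace_id=3 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 192.0.2.20:40000->192.0.2.1:443) tun_id=0.0.0.0 from lan. flag [S], seq 1, ack 0, win 64240"
id=65308 trace_id=3 func=init_ip_session_common line=6076 msg="allocate a new session-00000002, tun_id=0.0.0.0"
"""

LINE = re.compile(r'trace_id=(\d+) func=(\S+) line=\d+ msg="(.*)"')
# [\d.x]+ also accepts addresses masked as xxx.xxx.xxx.xxx, as in the post.
PKT = re.compile(r'proto=(\d+), ([\d.x]+):(\d+)->([\d.x]+):(\d+)\) .*from (\S+?)\.')

def local_in_drops(trace):
    """Count local-in drops per (source IP, destination port, ingress interface)."""
    packets, drops = {}, Counter()
    for m in filter(None, map(LINE.search, trace.splitlines())):
        tid, func, msg = m.groups()
        pkt = PKT.search(msg)
        if func == "print_pkt_detail" and pkt:
            # Remember the packet that opened this trace_id.
            packets[tid] = (pkt[2], int(pkt[5]), pkt[6])
        elif func == "fw_local_in_handler" and msg.endswith("drop") and tid in packets:
            drops[packets.pop(tid)] += 1
    return drops

def report(trace):
    """One line per dropped flow, naming the checks raised in this thread."""
    return [f"{n} attempt(s) from {src} to port {port} on {iface} dropped at local-in: "
            "check allowaccess on that interface, admin trusted hosts, local-in policy"
            for (src, port, iface), n in local_in_drops(trace).items()]
```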
Jimmy_Intertouch

thank you

 

- SSLVPN is not using the same port as admin HTTPS access

#config vpn ssl setting

#show full | grep port

-> the line 'set port xxx' should not be 443
-> if it is, I would suggest changing it if SSLVPN is not in use.
-> if SSLVPN is in use, then the admin HTTPS port would need to be changed to something other than 443 again.

----------------

 

That seems to be the fix: after changing it from 443 to something else, bingo!

 

thanks guys
